What measures can organizations take to prevent such exposures?

Organizations should adopt advanced secrets detection methods that can effectively identify and mitigate vulnerabilities in modern web applications, especially those involving front-end code.

Intruder 2026: Unveiling Exposed Secrets in JavaScript Bundles

Q: Why did traditional security tools fail to detect these exposed tokens?

Traditional security tools often lack the capability to detect secrets embedded in front-end code, particularly within single-page applications, leading to these exposures being overlooked.

Discover how Intruder's latest research uncovered over 42,000 exposed tokens in JavaScript bundles, revealing critical security gaps in modern web applications.

Published: February 18, 2026

Share this on:

Executive Summary

In December 2025, Intruder's research team conducted a comprehensive scan of 5 million applications, uncovering over 42,000 exposed tokens hidden within JavaScript bundles. These tokens included sensitive credentials such as code repository access tokens and project management API keys, many of which were active and provided unauthorized access to critical systems. The exposure was attributed to limitations in traditional security tools, which often fail to detect secrets embedded in front-end code, particularly within single-page applications. This incident underscores the urgent need for enhanced secrets detection methods that can effectively identify and mitigate such vulnerabilities in modern web applications.

Why This Matters Now

The widespread exposure of sensitive tokens in JavaScript bundles highlights a significant blind spot in current security practices, emphasizing the necessity for organizations to adopt advanced detection tools to safeguard against unauthorized access and potential data breaches.

Attack Path Analysis

An attacker exploited exposed API keys embedded in JavaScript code to gain unauthorized access to sensitive systems. Using these credentials, they escalated privileges to access critical resources. The attacker then moved laterally within the network, accessing additional services and data. They established a command and control channel to maintain persistent access. Sensitive data was exfiltrated through this channel. Finally, the attacker caused significant impact by disrupting services and compromising data integrity.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

Medium

Lateral Movement

Medium

Command & Control

Medium

Exfiltration

High

Impact

Medium

Initial Compromise

Description

The attacker discovered and exploited exposed API keys embedded in JavaScript code to gain unauthorized access to sensitive systems.

Confidence:

High

MITRE ATT&CK® Techniques

Techniques identified for SEO/filtering; may be expanded with full STIX/TAXII enrichment later.

Credential Access

T1528

Steal Application Access Token

Credential Access

T1539

Steal Web Session Cookie

Execution

T1059.007

JavaScript

Execution

T1106

Native API

Credential Access

T1649

Steal or Forge Authentication Certificates

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Secure Software Development

Control ID: 6.3.1

Embedding API keys in front-end code violates secure coding practices, potentially exposing sensitive data to unauthorized parties.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The exposure of API keys indicates inadequate implementation of cybersecurity policies, leading to potential data breaches.

DORA – ICT Risk Management Framework

Control ID: Article 5

Failure to protect API keys in front-end code reflects insufficient ICT risk management, compromising operational resilience.

CISA ZTMM 2.0 – Data

Control ID: Pillar 3

Exposing API keys in client-side code undermines data security principles, allowing unauthorized access to sensitive systems.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The incident demonstrates a lack of appropriate technical measures to manage cybersecurity risks, as required by the directive.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Computer Software/Engineering

JavaScript secrets exposure affects software development teams with hardcoded API keys bypassing SAST controls, requiring enhanced egress security and threat detection capabilities.

Financial Services

Exposed repository tokens and API keys threaten financial applications' data integrity, demanding zero trust segmentation and multicloud visibility for regulatory compliance.

Information Technology/IT

IT infrastructure faces critical risk from 42,000 exposed secrets in JavaScript bundles, necessitating comprehensive anomaly detection and secure hybrid connectivity solutions.

Computer/Network Security

Security sector must address JavaScript secrets detection gaps through enhanced inline IPS capabilities and cloud native security fabric implementations for client protection.

Sources

What 5 Million Apps Revealed About Secrets in JavaScripthttps://www.bleepingcomputer.com/news/security/what-5-million-apps-revealed-about-secrets-in-javascript/
Verified

Intruder Uncovers New Secrets Detection Techniques, Finds Thousands of Exposed Tokens Unaddressed by Traditional Methodshttps://www.businesswire.com/news/home/20251211585215/en/Intruder-Uncovers-New-Secrets-Detection-Techniques-Finds-Thousands-of-Exposed-Tokens-Unaddressed-by-Traditional-Methods

Verified

Secrets in your Bundle(.js) - The Gift Attackers Always Wantedhttps://www.intruder.io/research/secrets-detection-javascript

Verified

Frequently Asked Questions

The research uncovered over 42,000 exposed tokens, including code repository access tokens and project management API keys, many of which were active and provided unauthorized access to critical systems.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to exploit exposed API keys, escalate privileges, move laterally, establish command and control channels, exfiltrate data, and disrupt services by enforcing strict segmentation and identity-aware policies.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The attacker's ability to exploit exposed API keys would likely be constrained, reducing unauthorized access to sensitive systems.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges would likely be constrained, reducing unauthorized access to critical resources.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's lateral movement would likely be constrained, reducing unauthorized access to additional services and data.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The attacker's ability to establish command and control channels would likely be constrained, reducing persistent unauthorized access.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, reducing unauthorized data transfer to external servers.

Impact (Mitigations)

The attacker's ability to disrupt services and compromise data integrity would likely be constrained, reducing the overall impact of the attack.

Impact at a Glance

Affected Business Functions

Software Development
Project Management
Version Control
Continuous Integration/Continuous Deployment (CI/CD)

Operational Disruption

Estimated downtime: N/A

Financial Impact

Estimated loss: N/A

Data Exposure

Exposure of sensitive API keys and tokens, including GitHub and GitLab personal access tokens, project management API keys, and other service credentials, potentially leading to unauthorized access to code repositories, project management systems, and other critical services.

Recommended Actions

• Implement Zero Trust Segmentation to enforce least privilege access and prevent unauthorized lateral movement.
• Utilize Multicloud Visibility & Control to monitor and manage API key usage across all environments.
• Apply Egress Security & Policy Enforcement to restrict unauthorized data exfiltration.
• Deploy Threat Detection & Anomaly Response systems to identify and respond to suspicious activities.
• Regularly audit and rotate API keys to minimize the risk of credential exposure.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Intruder 2026: Unveiling Exposed Secrets in JavaScript Bundles

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

MITRE ATT&CK® Techniques

Steal Application Access Token

Steal Web Session Cookie

JavaScript

Native API

Steal or Forge Authentication Certificates

Potential Compliance Exposure

PCI DSS 4.0 – Secure Software Development

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Data

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Computer Software/Engineering

Financial Services

Information Technology/IT

Computer/Network Security

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads